Securing Your Odoo Instance: The 10-Point Checklist
From admin password policies to XML-RPC access control, here's the definitive security checklist for production Odoo instances.
Odoo powers business-critical operations — CRM, accounting, inventory, HR. A security breach doesn't just leak data; it can halt entire business operations. Yet many production Odoo instances ship with default configurations that leave them vulnerable.
Here's the 10-point security checklist every Odoo administrator should follow.
1. Disable the Default Admin Account
The default admin user with password admin is the #1 attack vector. Always change it immediately after installation. Better yet, create a new admin user with a strong, unique password and disable the original.
2. Restrict XML-RPC Access
Odoo's XML-RPC endpoint (/xmlrpc/2/) provides programmatic access to your entire database. If you don't need external API access, block it at the firewall or reverse proxy level. If you do, restrict it to known IP addresses.
3. Enable HTTPS Everywhere
All Odoo traffic should go through HTTPS. Configure your reverse proxy (Nginx, Caddy, or Apache) with a valid SSL certificate and redirect all HTTP traffic to HTTPS. Set the proxy_mode = True parameter in your Odoo config.
4. Configure Proper Access Groups
Review your user access groups regularly. Common issues:
- Users with "Technical Features" who don't need it
- External users with internal access rights
- Multiple users sharing a single admin account
- Deactivated employees whose accounts are still active
5. Audit Custom Module Code
Custom modules are the biggest security risk in most Odoo installations. Look for:
- Raw SQL queries (SQL injection risk)
- Use of
eval()orexec() - Hardcoded credentials or API keys
- Missing access control decorators on controllers
6. Secure Your Database Manager
The database manager (/web/database/manager) allows creating, duplicating, and deleting databases. In production, either disable it entirely with list_db = False or protect it with a strong master password.
7. Monitor Scheduled Actions
Cron jobs (ir.cron) run with elevated privileges. A compromised or misconfigured cron can cause data corruption. Monitor cron execution logs and set up alerts for failures.
8. Keep Modules Updated
Subscribe to Odoo's security advisories. When patches are released, apply them promptly. Deprecated modules that no longer receive security updates are a ticking time bomb.
9. Implement Backup Rotation
Automate daily database backups with at least 7-day retention. Store backups off-server (not on the same machine as your Odoo instance). Test restores regularly — a backup you can't restore is worthless.
10. Use Automated Security Scanning
Manual security reviews are necessary but not sufficient. Automated scanners can check for known vulnerabilities, misconfigurations, and security anti-patterns on every scan. OdooPulse's security audit module covers all 10 points in this checklist — automatically.
Run a free security scan on your Odoo instance and get your security score in under 60 seconds.